github-personal/labca
1
0
Fork 0
mirror of https://github.com/outbackdingo/labca.git synced 2026-01-27 18:19:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
labca/README_standalone.md
Arjan H 3081eae60f Also allow names in standalone DB config (#198)
2025-09-06 13:34:52 +02:00

139 lines
4.5 KiB
Markdown
Raw Permalink Blame History

# LabCA Standalone Version ![status-experimental](https://img.shields.io/badge/status-experimental-orange.svg)
As the ACME protocol is a standard (<a href="https://tools.ietf.org/html/rfc8555">RFC8555</a>) and not limited to boulder, there also are other implementations, e.g. <a href="https://smallstep.com/certificates/">step-ca</a> from Smallstep&trade; that you can run and manage yourself.
Getting started with step-ca is much easier than starting with boulder. But Smallstep is not providing a self-managed web GUI to easily see what certificates have been issued by step-ca and what their expiry statuses are. In fact they are using a very specific database storage that does not allow you to query the data directly from a normal database client either.
As the structure of the ACME data is pretty standard anyway, this standalone version of the LabCA GUI was created to work with step-ca (and potentially other ACME implementations in the future). It only works with their MySQL backend, as the BadgerDB backend has several limitations.
The standalone GUI is distributed as a single binary so that it can be easily installed and started. There is also a docker image available.
## Usage
### Install package
Download the latest .deb file for your platform architecture from the latest [release](https://github.com/hakwerk/labca/releases) on GitHub.
Install the .deb file:
```
dpkg -i labca-gui_<version>_<arch>.deb
```
The first time you can use the -init flag to create the config file. The location of the config file (default data/config.json), the IP address to listen on (default 0.0.0.0) and the port number (default 3000) can be specified, e.g.:
```
labca-gui -config stepca.json -address 127.0.0.1 -port 8080 -init
```
For consecutive starts you only need to specify the config file if it is not data/config.json
```
labca-gui -config stepca.json
```
The first time you connect to the application, you can create an admin account and specify the MySQL connection details for your step-ca database.
### Docker
When running a docker container you can map local filesystem files or directories as volumes to have the config data outside of the image, e.g.:
```
docker run -it --rm -v /home/username/acme/stepca_config.json:/usr/data/config.json ghcr.io/hakwerk/labca-standalone
```
or
```
docker run -it --rm -v /home/username/acme:/opt/acme ghcr.io/hakwerk/labca-standalone labca-gui -config /opt/acme/stepca.json
```
### Docker Compose
Here is a sample `docker-compose.yml` file for using both StepCA and the LabCA gui:
```
services:
smallstep:
image: smallstep/step-ca
restart: unless-stopped
ports:
- 9000:9000
volumes:
- /mystorage/stepca:/home/step
environment:
DOCKER_STEPCA_INIT_NAME: StepCA
DOCKER_STEPCA_INIT_DNS_NAMES: mydomain
DOCKER_STEPCA_INIT_PROVISIONER_NAME: admin
depends_on:
- db
web:
image: ghcr.io/hakwerk/labca-standalone
ports:
- 3000:3000
volumes:
- /mystorage/labca/config/stepca_config.json:/usr/data/config.json
depends_on:
- db
db:
user: 3020:3020
image: mysql
restart: always
environment:
MYSQL_ROOT_PASSWORD: rootpassword
MYSQL_DATABASE: stepca
MYSQL_USER: stepca
MYSQL_PASSWORD: userpassword
MYSQL_TCP_PORT: 3306
volumes:
- /mystorage/labca/db:/var/lib/mysql
healthcheck:
test:
- CMD
- mysqladmin
- ping
- -h
- localhost
- -uroot
- -prootpassword
interval: 10s
timeout: 5s
retries: 5
networks: {}
```
## systemd service
If you want to have the standalone version running all the time, even after a system reboot, you can create a service with the following steps (with thanks to [budulinek](https://github.com/budulinek)):
```
$ sudo mkdir -p /etc/labca
$ sudo labca-gui -config /etc/labca/labca.json -port 3000 -init
$ sudo useradd --system --home /etc/labca --shell /bin/false labca
$ sudo chown -R labca:labca /etc/labca
$ sudo nano /etc/systemd/system/labca.service
```
Put the following into that service file:
```
[Unit]
Description=LabCA service
After=network-online.target
Wants=network-online.target
StartLimitIntervalSec=30
StartLimitBurst=3
[Service]
Type=simple
User=labca
Group=labca
WorkingDirectory=/etc/labca
ExecStart=/usr/bin/labca-gui -config /etc/labca/labca.json
ExecReload=/bin/kill --signal HUP $MAINPID
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=30
StartLimitBurst=3
[Install]
WantedBy=multi-user.target
```
And finally
```
$ sudo systemctl daemon-reload
$ systemctl enable --now labca
```
Reference in New Issue View Git Blame Copy Permalink